Refactor DRAFT
The Review Phase is the execution engine of the Canopy Incident Response Data Mining (IRDM) framework. Following the scoping performed in the Assessment phase, Review focuses on the simultaneous execution of the Data Mining Track and the Legal Compliance Track.
During this phase, the project moves from identifying “high-probability” documents to the granular extraction of personal data. This phase is characterized by a “locked” legal protocol to ensure the process is defensible, consistent, and avoids unauthorized scope creep.
The primary objective is to transform flagged documents into non-unique qualified entities linked to specific individuals in accordance with established law.
- Granular Extraction: Identify and extract specific PII/PHI elements.
- Entity Linking: Explicitly link data elements (e.g., an SSN) to a specific individual (the “Subject”).
- Volume Reduction: Narrow the “potential” hits identified in Assessment to non-unique qualified entities.
- Protocol Adherence: Strictly apply the Legal Review Protocol approved during Assessment.
- Defensibility: Ensure every extraction meets the “notifiable” criteria established by counsel.
- Scope Integrity: Prevent “over-collection” of data that falls outside the jurisdictional requirements of the incident.
The Review phase begins once the Legal Review Protocol is formally signed off by counsel. Requirements include:
- Finalized Review Set: All documents tagged as `ready_for_review`.
- Defensibility Validation: Sampling report confirming zero False Negatives in the `out_of_scope` set.
- Approved Review Protocol: Signed-off definitions for Primary, Secondary, and Dependent data elements.
- Validated Mining Triggers: Clear legal rules on what combinations (e.g., Name + DOB) mandate a notification entry.
- Reviewer Calibration: Personnel trained on the specific jurisdictional requirements of the project.
The extraction of PII/PHI is executed through:
- Automated Review (GenAI): Utilizing Canopy’s AI to identify and extract data points.
- Manual Review: Expert human reviewers handling complex or ambiguous files (e.g., handwriting or structured databases).
Maintaining the integrity of the legal track:
- Reviewers apply the specific rules of the Review Protocol.
- Change Management: If the review uncovers unexpected data types, the team must halt and return to a “Second-Pass Assessment” to update the protocol legally before resuming.
- Legal Alignment: Review Managers sample extracted data to ensure accuracy and adherence to the protocol.
- Error Mitigation: Identifying and correcting mis-linked entities or omissions before the data is finalized.
- Monitoring the “burn-down” of the review set against statutory notification deadlines.
The phase is considered complete when the following legal and data milestones are met:
- Exhaustive Review: 100% of the `ready_for_review` set has been processed.
- Entity Qualification: All potential PII is either confirmed as a non-unique qualified entity or dismissed based on the legal protocol.
- Readiness for Consolidation: Data is formatted as non-unique qualified entities ready for de-duplication.
- Record of Compliance: Documentation confirms the review was performed strictly within the approved legal scope.
| Operational Track | Action | Result |
|---|---|---|
| Data Track | Mine | Narrowing from potential hits to non-unique qualified entities. |
| Legal Track | Apply & Lock | Moving from a flexible legal hypothesis to a rigid, defensible protocol. |
Next Phase: Consolidation (The Qualification)